Chapter 2 Understanding Identity and Access Management Flashcards
___________ occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses.
Identification
Users then prove their identity with _________, such as with a password.
Authentication
True or False : You can’t have any type of access control if you can’t identify a user.
True
True or False : Authentication, authorization, and accounting (AAA) work together with identification to provide a comprehensive access management system.
True
Users are granted __________ to access resources based on their proven identity.
Authorization
___________ methods track user activity and record the activity in logs.
Accounting
An _____ ____ allows security professionals to re-create the events that preceded a security incident.
Audit trail
True or False : A use case of supporting authentication may require administrators to implement one factor of authentication for basic authentication, two factors for more secure authentication, or more factors for higher security.
True
List factors for authentication
- Something you know - PIN, password
- Something you have - CAC, Smart card
- Something you are - Biometric - fingerprint, retina, face
- Somewhere you are - location, such as a geolocated IP address
- Something you do - pattern swipe, gestures
The ________ __ _____ authentication factor typically refers to a shared secret, such as a password or even a PIN.
Something you know
What is the least secure form of authentication?
Something you know
True or False :
A strong password is of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:
• Uppercase characters (26 letters A–Z)
• Lowercase characters (26 letters a–z)
• Numbers (10 numbers 0–9)
• Special characters (32 printable characters, such as !, $, and *)
True
What does MS recommend for minimum password length as of 2016?
14 characters
True or False : The combination of different characters in a password makes up the key space, and you can calculate the key space with the formula C^N, where C is the number of possible characters used and N is the length of the password
True
True or False : An attacker can crack a 10-character password using only lowercase characters (26^10, about 141 trillion possibilities) in less than two hours.
True
Why do security experts say that too complex passwords are less secure?
Because it is more difficult to remember and users will likely write it down or store in an insecure file.
True or False : Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters
True
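The strength rules and the C^N key-space formula from the cards above, worked through in code. This is an added example, not part of the original flashcards; the character classes are the four listed above (26 + 26 + 10 + 32), and the guess rate used to reproduce the "under two hours" claim is an assumption derived from that claim, not a measured cracking speed.

```python
import string

# Character classes from the cards: 26 upper, 26 lower, 10 digits, 32 printable specials.
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),  # exactly 32 characters
}


def character_classes_used(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def is_strong(password: str, min_length: int = 14, min_classes: int = 3,
              forbidden_words=()) -> bool:
    """The card's definition: long enough, at least three of the four classes,
    and no dictionary word or name fragment. forbidden_words is a constructed
    stand-in for the dictionary and user-name checks a real policy would run."""
    if len(password) < min_length:
        return False
    if len(character_classes_used(password)) < min_classes:
        return False
    lowered = password.lower()
    if any(word.lower() in lowered for word in forbidden_words if word):
        return False
    return True


def key_space(password: str) -> int:
    """C^N: C is the size of the classes the password draws from, N its length."""
    c = sum(len(CHARACTER_CLASSES[name]) for name in character_classes_used(password))
    return c ** len(password)


def time_to_exhaust_seconds(space: int, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate in the key space is tried."""
    return space / guesses_per_second


def implied_guess_rate(space: int, seconds: float) -> float:
    """Guesses per second an attacker needs to exhaust `space` in `seconds`.
    For 26^10 in two hours this is roughly 2e10 guesses/s (an assumed figure
    back-calculated from the card, not a benchmark)."""
    return space / seconds


if __name__ == "__main__":
    for pw in ["abcdefghij", "Tr0ub4dor&3xample!", "abcdefghijklmnop"]:
        print(pw, is_strong(pw), key_space(pw),
              f"{time_to_exhaust_seconds(key_space(pw), 2e10):.0f}s at 2e10 guesses/s")
```

Note that adding one more character class matters far more than adding one more character of the same class only at short lengths; past 14 characters, length dominates, which is why the cards pair complexity with a 14-character minimum.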
True or False : It’s not important for an organization to provide adequate training to users on password security.
False
It is important
True or False : Users should change their passwords regularly, such as every 45 or 90 days.
True
True or False : Before resetting passwords for users, it’s important to verify the user’s identity. When resetting passwords manually, it’s best to create a temporary password that expires upon first use.
True
A _______ _______ system remembers past passwords and prevents users from reusing passwords
Password history
True or False : It’s common for password policy settings to remember the last 24 passwords and prevent users from reusing these until they’ve used 24 new passwords
True
_____ ______ allows an administrator to configure a setting once in a ______ ______ ______ and apply this setting to many users and computers within the domain.
Group Policy, Group Policy Object (GPO)
True or False : Group Policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more
True
A common group of settings that administrators configure in Group Policy is the _______ Policy settings
Password
List some of the elements of password policies
- Minimum password age - to stop users from changing the password repeatedly in one sitting to cycle back past the history and reuse an old one
- Maximum password age - to trigger expiration
- Minimum password length - to promote complexity
- Password complexity requirements - to promote complexity
True or False : Accounts will typically have lockout policies preventing users from guessing the password
True
List two key phrases associated with lockout policies
- Account lockout threshold - number of attempts before locking account
- Account lockout duration - length of time before account is unlocked
A basic security practice is to change _______ settings before putting a system into use.
Default
True or False : Some administrators create a dummy account named administrator which has no permissions.
True
If an attempt is made to log on with this account, the system locks the account out and alerts administrators, since no legitimate user should ever try it.
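A small simulation of the lockout threshold and lockout duration from the cards above, plus the dummy "administrator" account that locks and alerts on any attempt. This is an added example, not part of the original flashcards; the `valid` dictionary is a constructed stand-in for the directory, and the policy numbers are arbitrary.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class LockoutPolicy:
    threshold: int = 5                # failed attempts before the account locks
    duration_seconds: int = 30 * 60   # how long the lock lasts before it clears


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0         # epoch-style timestamp; 0 means not locked


class Authenticator:
    """Applies a lockout policy in front of a credential check."""

    def __init__(self, policy: LockoutPolicy, valid: Dict[str, str], honeypots: Set[str]):
        self.policy = policy
        self.valid = valid                      # constructed: username -> password
        self.honeypots = honeypots              # decoy accounts nobody should use
        self.states: Dict[str, AccountState] = {}
        self.alerts: List[str] = []             # usernames that tripped a honeypot

    def login(self, user: str, password: str, now: float) -> str:
        # Honeypot: the card says lock immediately and raise an alert.
        if user in self.honeypots:
            self.alerts.append(user)
            self.states.setdefault(user, AccountState()).locked_until = float("inf")
            return "honeypot"

        state = self.states.setdefault(user, AccountState())
        if now < state.locked_until:
            return "locked"                     # even a correct password is refused

        if self.valid.get(user) == password:
            state.failed_attempts = 0           # success resets the counter
            return "success"

        state.failed_attempts += 1
        if state.failed_attempts >= self.policy.threshold:
            state.locked_until = now + self.policy.duration_seconds
            state.failed_attempts = 0
            return "locked"
        return "failure"
```

Unknown usernames take the same path as wrong passwords, so the response does not reveal whether an account exists. Real implementations also add a "reset counter after" window so that a handful of typos spread over a week does not accumulate into a lockout; that knob is not on the cards and is omitted here.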
The _______ ___ _____ authentication factor refers to something you can physically hold.
Something you have
_____ ______ are credit card-sized cards that have an embedded microchip and a certificate. Users insert them into a reader, similar to how someone would insert a credit card into a credit card reader.
Smart cards
List the requirements for a smart card
- Embedded certificate - the card stores the user's private key (which never leaves the card) and the matching certificate, which carries the public key that others can use. The private key is used each time the user logs on
- Public Key Infrastructure (PKI) - supports issuing and managing certs
A _____ ______ _____ is a specialized type of smart card used by the U.S. Department of Defense.
Common Access Card (CAC)
True or False : A CAC card includes a photo of the user and can be used as a form of identification
True
A _______ _____ ________ card is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does
Personal Identity Verification (PIV)
True or False : Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. CACs and PIVs are specialized smart cards that include photo identification. They are used to gain access into secure locations and to log on to computer systems.
True
A ______ or ___ __ is an electronic device about the size of a remote key for a car
token or key fob (sometimes simply called a fob)
True or False : A token includes a liquid crystal display (LCD) that displays a number, and this number changes periodically, such as every 60 seconds.
True
The _____ is synced with a server that knows what the number is at any moment.
Token
_______ ______ ___ ____ ______ is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs.
HMAC-based One-Time Password (HOTP)
True or False : A password created with HOTP remains valid until it’s used.
True
A ____ _____ ___ ____ _______ is similar to HOTP, but it uses a timestamp instead of a counter.
Time-based One-Time Password (TOTP)
True or False : One significant benefit of HOTP and TOTP is price. Hardware tokens that use these open standards are significantly less expensive than tokens that use proprietary algorithms
True
TOTP expires after __ seconds
30
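HOTP and TOTP as described on the cards above, implemented from the RFCs. This is an added example, not part of the original flashcards. `SECRET` is the published RFC 4226/6238 test secret, so the generated codes can be checked against the RFC tables; the look-ahead window and clock-skew tolerance are typical server-side choices, not values the cards specify.

```python
import hashlib
import hmac
import struct

# The shared secret from the RFC 4226 / RFC 6238 test vectors (20 ASCII bytes).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter replaced by floor(time / step)."""
    return hotp(secret, unix_time // step, digits, digestmod)


class HotpVerifier:
    """Server side of HOTP. The counter advances only on success, so an unused code
    stays valid no matter how much time passes; a look-ahead window absorbs button
    presses the server never saw, and anything behind the counter is rejected."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for offset in range(self.look_ahead + 1):
            candidate = self.counter + offset
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1   # consumes this code and any skipped ones
                return True
        return False


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Accept the current 30-second window plus +/- skew_steps for clock drift."""
    now = unix_time // step
    return any(hmac.compare_digest(hotp(secret, now + d, digits), code)
               for d in range(-skew_steps, skew_steps + 1))


if __name__ == "__main__":
    import time
    print("HOTP counter 0:", hotp(SECRET, 0))
    print("TOTP now:", totp(SECRET, int(time.time())))
```

The two verifiers show the difference the cards describe: `HotpVerifier` takes no clock at all, so a code is good until it is consumed (and a replay of a consumed code fails), while `verify_totp` accepts only codes from the current window and its neighbours.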
The ________ ___ ___ authentication factor uses biometrics for authentication
Something you are
True or False : Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify.
True
________ use a physical characteristic, such as a fingerprint, for authentication
Biometrics
List some types of biometrics
- Fingerprint scanner
- Retina scanner
- Iris scanner
- Voice recognition
- Facial recognition
True or False : A drawback with facial recognition is that it is sometimes negatively affected by changes in lighting.
True
List two biometric false readings
- False acceptance
- False rejection
The _____ ______ ____ identifies the percentage of times false acceptance occurs
False acceptance rate
The _____ _________ ____ identifies the percentage of times false rejections occur
False rejection rate
True or False : True acceptance is when the biometric system accurately determines a positive match
True
True or False : True rejection occurs when the biometric system accurately determines a non-match
True
By increasing the sensitivity for a biometric, it ________ the number of false matches and ________ the number of false rejections
Decreases, increases
Decreasing the sensitivity for a biometric ______ the false matches and ________ the false rejections.
Increases, decreases
True or False : By plotting the FAR and FRR rates using different sensitivities, you can determine the effectiveness of a biometric system
True
The ________ ____ ____ is the point where the FAR crosses over with the FRR
Crossover error rate (CER)
True or False : A lower CER indicates that the biometric system is more accurate
True
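The FAR/FRR sweep and crossover error rate from the cards above, computed over constructed match scores. This is an added example, not part of the original flashcards; the genuine and impostor score lists are made up to illustrate the curves, and "sensitivity" is modelled as the acceptance threshold on a 0-100 similarity score.

```python
from typing import Iterable, List, Tuple

# Constructed similarity scores (0-100): higher means "looks more like the enrolled user".
GENUINE_SCORES = [92, 88, 95, 81, 77, 90, 85, 70, 94, 89]   # real users vs their own template
IMPOSTOR_SCORES = [40, 55, 62, 71, 48, 66, 58, 73, 45, 60]  # other people vs that template


def far_frr_at(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """A comparison is accepted when score >= threshold.
    FAR = impostors accepted / impostors; FRR = genuine users rejected / genuine users."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine: List[float], impostor: List[float],
          thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for each sensitivity setting: this is the data the card
    says to plot. Raising the threshold lowers FAR and raises FRR."""
    return [(t, *far_frr_at(t, genuine, impostor)) for t in thresholds]


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         thresholds: Iterable[float]) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (the CER)."""
    t, far, frr = min(sweep(genuine, impostor, thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(50, 100, 5)):
        print(f"threshold {t:3d}  FAR {far:.2f}  FRR {frr:.2f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101, 5)))
```

When comparing two systems, compare their CERs under the same population rather than the FAR or FRR alone, since either of those can be driven to zero by moving the threshold.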
The _______ ___ ___ authentication factor identifies a user’s location
Somewhere you are
True or False : Many authentication systems use the Internet Protocol (IP) address for geolocation
True
True or False : Within an organization, it’s possible to use the computer name or the media access control (MAC) address of a system for the somewhere you are factor
True
The ________ ___ __ authentication factor refers to actions you can take such as gestures on a touch screen
Something you do
True or False : Some examples of something you do are gestures, keystroke dynamics
True
____ _____ ____________ uses two different factors of authentication, such as something you have and something you know
Dual-factor authentication (sometimes called two-factor authentication)
__________ ____________ uses two or more factors of authentication
Multifactor authentication
True or False : Using two methods of authentication in the same factor is dual- factor authentication.
False
They must be two different factors
True or False : Using two or more methods in the same factor of authentication (such as a PIN and a password) is single-factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as using a hardware token and a PIN. Multifactor authentication uses two or more factors
True
______ is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms
Kerberos
True or False:
The requirements for Kerberos are:
- A method of issuing tickets used for authentication
- Time synchronization - Kerberos v5 requires all systems to be synced to within five minutes of each other
- A database of subjects or users, e.g. Microsoft Active Directory
True
The __ _______ _____ uses a complex process of issuing ticket granting tickets (TGTs) and other tickets.
Key Distribution Center (KDC)
Kerberos uses _________ ___ cryptography to prevent unauthorized disclosure and to ensure confidentiality.
Symmetric-key
___ ______ ___ ______ is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems
New Technology LAN Manager (NTLM)
True or False : Developers should use the Negotiate security package within their applications since it selects the most secure security protocols available between the systems
True
_________ ______ ______ _______ specifies formats and methods to query directories.
Lightweight Directory Access Protocol (LDAP)
True or False : Windows domains use Active Directory, which is based on LDAP. Active Directory is a directory of objects (such as users, computers, and groups), and it provides a single location for object management.
True
True or False : LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions.
True
True or False : LDAP is based on an earlier version of X.500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN=Users and DC=GetCertifiedGetAhead. LDAPS encrypts transmissions with TLS
True
______ ___ __ refers to the ability of a user to log on or access multiple systems by providing credentials only once
Single sign-on (SSO)
True or False : SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. It’s also much more convenient for users to access network resources if they only have to log on one time.
True
True or False : The SSO system typically creates some type of SSO secure token used during the entire logon session. Each time the user accesses a network resource, the SSO system uses this secure token for authentication. Kerberos and LDAP both include SSO capabilities.
True
SSO requires strong ___________ to be effective.
Authentication
A _______ trust creates an indirect trust relationship.
Transitive
If A trusts B and B trusts C, then A also trusts C (A -> B -> C implies A -> C)
True or False : There is a two-way trust between parent domain and child domain. Child domains also have a two way transitive trust with each other thru their relationship with the parent domain
True
True or False : Without a trust relationship, separate accounts need to be created per domain
True
________ ______ _______ _______ is an Extensible Markup Language (XML)– based data format used for SSO on web browsers.
Security Assertion Markup Language (SAML)
List three SAML defined roles
- Principal - typically a user
- Identity provider - creates, maintains, and manages identity information
- Service provider - an entity that provides services to principals
True or False : The primary purpose of SSO is for identification and authentication of users.
True
True or False : SSO provides authorization
False
True or False : Many federation SSO systems, including SAML, include the ability to transfer authorization data between their systems
True
True or False : It’s possible to use SAML for single sign-on (SSO) authentication and authorization
True
True or False : SSO systems can connect authentication mechanisms from different environments i.e. different operating systems
True
A _________ requires a federated identity management system that all members of the federation use
Federation
True or False : Members of the federation agree on a standard for federated identities and then exchange the information based on the standard. A federated identity links a user’s credentials from different networks or operating systems, but the federation treats it as one identity.
True
_____ is an open standard for authorization many companies use to provide secure access to protected resources.
OAuth
True or False : With OAuth, you can often use the same account that you’ve created with Google, Facebook, PayPal, Microsoft, or Twitter
True
______ Connect works with OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials.
OpenID
_______ _________ is concerned with the creation, management, disablement, and termination of accounts.
Account management
_____ _________ specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
Least privilege
A primary goal of implementing least privilege is to ______ risks
Reduce
Least privilege is a _______ control.
Technical
True or False : The principle of need to know is that users are granted access only to the data and information that they need to know for their job.
True
What is the difference between least privilege and need to know?
The difference is that least privilege focuses on access (rights and permissions) and need to know focuses on data and information
List some common types of accounts
- End user accounts
- Privileged accounts
- Guest accounts
- Service accounts
A _________ account has additional rights and privileges beyond what a regular user has
Privileged
True or False : Administrators commonly disable the Guest account and only enable it in special situations.
True
Some applications and services need to run under the context of an account and a _______ account fills this need.
Service
True or False : Service accounts are like regular end user accounts except it’s only being used by a service or application.
True
True or False : One of the challenges with service accounts is that they often aren’t managed.
True
True or False : It’s common to require administrators to have two accounts. They use one account for regular day-to-day work. It has the same limited privileges as a regular end user. The other account has elevated privileges required to perform administrative work, and they use this only when performing administrative work
True
True or False : Users should not use shared accounts
True
Many organizations have a _________ policy that specifies how to manage accounts in different situations.
Disablement
True or False : Disabling accounts is preferred over deleting the account, at least initially. If administrators delete the account, they also delete any encryption and security keys associated with the account. However, these keys are retained when the account is disabled.
True
True or False : Some contents of an account disablement policy:
- Terminated employee
- Leave of absence
- Delete account
True
True or False :
An account disablement policy identifies what to do with accounts for employees who leave permanently or on a leave of absence. Most policies require administrators to disable the account as soon as possible, so that ex-employees cannot use the account. Disabling the account ensures that data associated with it remains available. Security keys associated with an account remain available when the account is disabled, but are no longer accessible if the account is deleted.
True
True or False : Two primary account recovery scenarios are:
- Enable a disabled account
- Recover a deleted account
True
____ __ ___ restrictions specify when users can log on to a computer. If a user tries to log on to the network outside the restricted time, the system denies access to the user
Time-of-day
True or False : With time-of-day restrictions, once the end-of-day threshold is reached the system automatically logs out active sessions
False
It leaves active sessions running but does not allow new logons
_______ _____ policies restrict access based on the location of the user
Location-based
True or False : With location based policies you can either blacklist or whitelist IP addresses or filter MAC addresses
True
True or False : It’s possible to set user accounts to expire automatically. When the account expires, the system disables it, and the user is no longer able to log on using the account
True
Administrators routinely perform account maintenance. This is often done with _____ to automate the processes
Scripts
A __________ is a collection of information that provides an identity (such as a username) and proves that identity (such as with a password).
Credential
List some examples of credential management systems
- Windows 10 Credential Manager
- Google Chrome
These store credentials in secure vaults for future use
______ control ensures that only authenticated and authorized entities can access resources.
Access
______ _____ access control (role-BAC) uses roles to manage rights and permissions for users.
Role-based
True or False : With role-BAC, an administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users). When an administrator adds a user to a role, the user has all the rights and permissions of that role.
True
True or False : It’s common to document role-based permissions with a matrix listing all of the job titles and the privileges for each role.
True
Role-BAC is also called _________-based or job-based:
Hierarchy
True or False : Administrators commonly grant access in the role-BAC model using roles, and they often implement roles as groups known as group-based access control
True
True or False : In Windows, The Administrators group is an example of a built-in security group.
True
True or False : Without groups, you would use user-assigned privileges. In other words, you would assign all the specific rights and permissions for every user individually. This might work for one or two users, but quickly becomes unmanageable with more users.
True
True or False : Group-based privileges reduce the administrative workload of access management. Administrators put user accounts into security groups, and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.
True
____-based access control (____-BAC) uses ____.
Rule(s)
Routers and firewalls use _____ within access control lists (ACLs). These _____ define the traffic that the devices allow into the network, such as allowing Hypertext Transfer Protocol (HTTP) traffic for web browsers. These _____ are typically static. In other words, administrators create the ______ and the ______ stay the same unless an administrator changes them again.
Rules
True or False : Some rules can be dynamic.
True
For example, intrusion prevention systems can detect attacks, and then modify rules to block traffic from an attacker.
True or False : It’s possible to configure user applications with rules, e.g. a database rule that triggers a change to permissions
True
In the _________ access control (DAC) model, every object (such as files and folders) has an owner, and the owner establishes access for the objects.
Discretionary
True or False : A common example of the DAC model is the New Technology File System (NTFS) used in Windows.
True
True or False : Microsoft systems identify users with security identifiers (SIDs)
True
True or False : Every object (such as a file or folder) includes a discretionary access control list (DACL) that identifies who can access it in a system using the DAC model. The DACL is a list of Access Control Entries (ACEs). Each ACE is composed of a SID and the permission(s) granted to the SID.
True
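The DACL walk described on the card above, as an added example that is not part of the original flashcards. The SIDs for Alice and Bob are constructed; the Users group SID (S-1-5-32-545) is the real well-known SID. The permission bits are a simplified stand-in for the NTFS access mask, and the ACE ordering rules follow how a Windows access check reads a DACL.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

READ, WRITE, EXECUTE = 0b001, 0b010, 0b100   # simplified access-mask bits

USERS_GROUP = "S-1-5-32-545"                                      # well-known Users group
ALICE = "S-1-5-21-1000000000-2000000000-3000000000-1104"         # constructed user SID
BOB = "S-1-5-21-1000000000-2000000000-3000000000-1105"           # constructed user SID


@dataclass
class ACE:
    sid: str      # the trustee this entry applies to
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    mask: int     # permission bits this ACE grants or denies


def check_access(dacl: Optional[List[ACE]], token_sids: Set[str], requested: int) -> bool:
    """Walk the DACL in order, as the access check does. A deny ACE for any SID in the
    token that overlaps a requested right fails immediately; allow ACEs accumulate
    until every requested bit is granted. No DACL at all (None) grants everything,
    while an empty DACL grants nothing."""
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow and (ace.mask & requested):
            return False
        if ace.allow:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def canonicalize(dacl: List[ACE]) -> List[ACE]:
    """Canonical order puts explicit deny ACEs ahead of explicit allow ACEs, so a
    deny can never be skipped because an earlier allow already satisfied the request."""
    return sorted(dacl, key=lambda ace: ace.allow)   # stable: False (deny) sorts first


# Constructed DACL for a file: Users may read and execute, Alice may read and write,
# except that a deny entry removes Alice's write.
SAMPLE_DACL = [
    ACE(USERS_GROUP, True, READ | EXECUTE),
    ACE(ALICE, False, WRITE),
    ACE(ALICE, True, READ | WRITE),
]

# Same entries but with the allow listed before the deny: the walk grants WRITE
# before it ever reaches the deny, which is why the order is made canonical.
NON_CANONICAL_DACL = [
    ACE(ALICE, True, READ | WRITE),
    ACE(ALICE, False, WRITE),
]
```

The token passed to `check_access` holds the user's own SID plus every group SID, which is how group-based privileges are inherited: an ACE for S-1-5-32-545 applies to anyone whose token carries that SID.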
True or False : An inherent flaw associated with the DAC model is the susceptibility to Trojan horses.
True
The _________ access control (MAC) model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access.
Mandatory
True or False : With MAC security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access.
True
True or False : Security-enhanced Linux (SELinux)is one of the few operating systems using the mandatory access control model.
True
The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a _____.
Lattice
True or False : The MAC model uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals
True
True or False : An administrator is responsible for establishing access, but only someone at a higher authority can define the access for subjects and objects.
True
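The lattice of sensitivity labels from the cards above, as an added example that is not part of the original flashcards. Labels combine a classification level with a set of compartments; a subject may read an object when its clearance dominates the object's label (level at or above, all compartments covered), which generalises the "labels match" case on the card. The write rule is the standard confidentiality-lattice no-write-down rule and the level names and compartments are constructed.

```python
from dataclasses import dataclass, field
from typing import FrozenSet

# Ordered classification levels (constructed, mirroring the usual government scheme).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()   # need-to-know categories


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a covers all of b's compartments.
    This is the partial order that makes the labels a lattice."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


def may_read(subject: Label, obj: Label) -> bool:
    """Read down only: the clearance must dominate the object's label."""
    return dominates(subject, obj)


def may_write(subject: Label, obj: Label) -> bool:
    """Write up only: the object's label must dominate the subject's, so data
    can never flow to a less sensitive label."""
    return dominates(obj, subject)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label a document must carry if it combines a and b."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments | b.compartments)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    print(may_read(analyst, Label("Confidential")))                      # True
    print(may_read(analyst, Label("Secret", frozenset({"CRYPTO", "NUC"}))))  # False
```

Note that the subject cannot change any of this: the labels are set by the security administrator, which is the difference from the DAC model where the owner decides.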
An ________-based access control (ABAC) evaluates ________ and grants access based on the value of these _________.
Attribute(s)
See NIST SP 800-162
True or False : ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy.
True
True or False : Many software defined networks (SDNs) use ABAC models. Instead of rules on physical routers, policies in the ABAC system control the traffic. These policies typically use plain language statements.
True
True or False : ABAC policies typically include the following four elements:
- Subject - user
- Object - resource being accessed
- Action - what the user is attempting to do
- Environment - includes everything outside of the subject and object attributes. This is often referred to as the context of the access request.
True
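An ABAC policy decision point built around the four elements on the card above (subject, object, action, environment), as an added example that is not part of the original flashcards. The hospital-style policies, attribute names and the deny-overrides combining rule are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs       # who is asking, e.g. role and department
    object: Attrs        # what is being accessed, e.g. record type and sensitivity
    action: str          # what they want to do
    environment: Attrs   # context outside subject and object: network, time of day


@dataclass
class Policy:
    name: str
    effect: str                         # "permit" or "deny"
    condition: Callable[[Request], bool]


def evaluate(policies: List[Policy], req: Request) -> Tuple[str, List[str]]:
    """Default deny. Every policy whose condition matches the request's attributes is
    collected; if any matching policy denies, the decision is deny (deny overrides)."""
    matched = [p for p in policies if p.condition(req)]
    names = [p.name for p in matched]
    if any(p.effect == "deny" for p in matched):
        return "deny", names
    if any(p.effect == "permit" for p in matched):
        return "permit", names
    return "deny", names


# Constructed policies, each the code form of a plain-language statement.
POLICIES = [
    # "Clinicians may read patient records belonging to their own department."
    Policy("clinicians-read-own-department", "permit",
           lambda r: r.subject["role"] == "clinician"
           and r.action == "read"
           and r.object["type"] == "patient-record"
           and r.object["department"] == r.subject["department"]),
    # "Restricted records are never accessible from outside the corporate network."
    Policy("no-restricted-records-off-network", "deny",
           lambda r: bool(r.object.get("restricted", False))
           and r.environment["network"] != "corporate"),
    # "Patient records may only be touched between 08:00 and 20:00."
    Policy("records-only-during-shift", "deny",
           lambda r: r.object["type"] == "patient-record"
           and not (8 <= r.environment["hour"] < 20)),
]


def make_request(role: str = "clinician", department: str = "cardiology",
                 obj_department: str = "cardiology", restricted: bool = False,
                 action: str = "read", network: str = "corporate", hour: int = 10) -> Request:
    """Convenience builder for a patient-record request with sensible defaults."""
    return Request(
        subject={"role": role, "department": department},
        object={"type": "patient-record", "department": obj_department, "restricted": restricted},
        action=action,
        environment={"network": network, "hour": hour},
    )


if __name__ == "__main__":
    print(evaluate(POLICIES, make_request()))
    print(evaluate(POLICIES, make_request(restricted=True, network="home-vpn")))
```

Returning the matched policy names alongside the decision is what makes the system auditable: the accounting log can record not just that access was denied but which statement denied it.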